Policy formation 101

There is no tomorrow when writing a security policy. Sathya Mithra Ashok finds out what makes for an effective policy document, and how companies can go about putting together a comprehensive statement of intent.

By Sathya Mithra Ashok. Published October 13, 2008

The identification of company objectives should be followed by an analysis of the data that flows within the firm's systems.

"The organisation needs to identify what they are trying to protect; that is one of the most important things. They should also identify who they are trying to protect it from. This will mean that they will need to narrow down the threats that they face," states Ganesh Lakshmanan, security team lead at CA in the region.

"You need to first of all identify all assets that you are trying to protect, identify the vulnerabilities and the threats associated with that, and the likelihood of the threats happening. If you feel that the threat is small but the likelihood is high, then calculate the loss that you will suffer. These are very important details to identify, so that the cost of a threat is known," adds Lakshmanan.


He stresses the need for an initial risk assessment, conducted by an external consultant, as an essential step for organisations before they get to writing the policy. The organisation can use all the processes above to recognise what it wants the specific policy to achieve. Ideally, policies should also outline incident response and escalation routes, if not deal with disaster recovery as a fully fledged topic.

Apart from the above, it is essential to understand user behaviour within the company, and how willing users will be to change procedures for the greater security picture.

"In my belief, the whole thing starts with an understanding of the way in which you want your users to behave. Previously too much was based on negative security models. It was always a 'thou shalt not, do not do this, do not do that and you are not allowed' style of security. But what we have seen now within information security is that there are much more sophisticated behavioural analysis tools that allow you to measure the way that your data is used. This allows companies to have a positive security model, where they can understand what their staff normally do and ingrain that in their policy, as well as regularly evolve it," states Paul Davie, founder and COO of Secerno.

"The organisation should also ideally ensure that there is at least a security policy working group or a steering committee that actually ensures this process can be institutionalised, that there is a definite course and proper continuous review," says Prasad.

According to him, the key stakeholders and representatives of organisational departments should be a part of the team.

"The steering committee should include personnel or representatives from IT, operations, and security, both physical and technological. It should include legal counsel. If the organisation has an in-house team they should be included in the formation process; if they do not have one, they should get some outside legal advice once the policy has been formed to ensure the validity of the document. The procurement or purchasing department should be there. If they have a contracts department, they should be on the committee. The human resources and finance departments must be included, because they support the sustainability of the policy. For very large organisations that touch the public, the public relations department should also be involved," states Prasad.

Prasad emphasises that the CEO of the company should chair any steering committee meeting or any policy approval meetings. He will have to be the one who actually approves and also ensures compliance across the organisation. While the steering committee will be involved in setting down the basics that will go into the policy, the actual writing of the policy will have to be done by concerned experts.

"The actual policy should be written by professional writers. We have seen that when policies are written by the purely technical guys, even with the guidance of the steering committee, they tend to be either too comprehensive and over-engineer the policy, or they tend to make it too broad. This is why it is crucial to have a competent writer forming the policy," states Prasad.

Khan agrees: "For writing the policy, the company needs to hire a good security technical writer. These are people who have experience in writing security policies. They are available in the Middle East, and if companies are willing to pay the price, they can get the quality that they require as writers."
